David Horrigan writes about the case over on the Relativity blog, where collecting the thumbprint of a 14-year-old without notifying the parent violated the state's biometric information law (BIPA), and the Court has ruled they could sue without needing to prove he was “harmed” by the data collection.
That’s interesting, for sure, but where it gets really interesting is if this ruling gets applied when it comes to data breaches.
Should one be able to prevail in data protection litigation just because they can show, as in In re Zappos, that their information’s out there as the result of a data breach—without having to show they were actually harmed by its exposure?
Is it harm enough to have to worry about what hackers are doing with your data after a breach?
Now, I’m not a lawyer and don’t know what the courts will ultimately decide in that regard. But I am someone whose data has been breached, and I am also fairly opinionated when it comes to the subject, so here goes.
First, I think despite the huge data breaches that have made headlines around the world, we have not seen real punishment for companies that did not protect data appropriately. I think the reasons for that are many, but fall into two main areas.
- It’s somewhat difficult to prove a company that was breached was negligent in their data protection work. How much security is enough, and how much is too little?
- The victims haven’t been harmed enough to really make it a big deal.
Let me explain the second point better with a true story.
Once upon a time, my credit card information was stolen through a POS hack at a restaurant. It was one that was in the news, and it was fairly obvious that was where my card info was stolen because a week later, someone tried to buy a couple of iPads in NYC using my card. It got flagged by the credit card company, I was able to dispute the charge, get a new card, and go on like it never happened.
Was I “harmed” by it? In the traditional sense, no. I didn’t have to pay out anything for those bogus charges. The bank or the store where the purchases were made was the one that lost money due to the data breach, not me.
On the other hand, did I have to spend time disputing the charges, making phone calls, getting a new card, etc.? Yes, I did. Do I now need to worry about my credit report and what other information might be floating around the dark web about my purchase at that restaurant? Yes, I do.
The question is, can that be considered “harm” enough to let me sue the restaurant for not protecting my data?
It is my opinion that because we are only put out, but not made to pay a financial cost, when these things occur, we don’t scream and demand better data protection; and because the companies that were breached aren’t being screamed at and made to answer by their customers when this happens, it’s easy to see it as a risk, but not a RISK.
The new GDPR rules around data privacy have started to increase the risk, though. Suddenly, at least for EU users, hanging on to the data without permission, or not protecting it, has become a pretty big risk.
Frankly, it should be a RISK to hold onto anyone’s data and not adequately protect it, everywhere. A ruling that says every single customer whose data was lost could sue you for some level of damages would make that a gigantic risk. It would get companies thinking twice about collecting the data in the first place, and it would fundamentally change the advertising model that is currently driving much of the Internet, because having to pay out even small amounts to all of the millions of users whose data you lost would bankrupt many companies. (Let alone something like Facebook.) They would need to rethink their very business models around data collection and advertising.
That’s not necessarily a bad thing, by the way, but it would be messy.
Alas, the court rulings thus far, as David points out, are all over the place. It’ll be interesting to see if the courts are willing to cause this much upheaval.
But it’s an interesting thought experiment to consider all of the knock-on effects it would have, because the collection and storage of personal and confidential data is a risk. One that companies, law firms, government agencies, etc. should be taking very seriously, even if each individual person can’t sue you for it.